OFFTOPIC Re: Getting HttpSession by ID

[Olve Hansen <ol...@intermedia.uib.no>]

fre, 03,.06.2005 kl. 10.00 +0300, skrev Krutyakov Roman:

> В Птн, 03/06/2005 в 08:37 +0200, Olve Hansen пишет:
> > ons, 01,.06.2005 kl. 12.47 +0300, skrev Krutyakov Roman:
> > > Hello,
> > > 
> > > Is there any way to access to HttpSession by its id?
> > > I have an application based on Tapestry 4 and Spring with Acegi and
> > > want
> > > to control concurrent user logins.
> > > After successful user authentication i need to check does this user
> > > already have non-expired session (for 
> > 
> > Acegi have this option built in.
> > 
> > Forum messages discussing this feature:
> > http://forum.springframework.org/viewtopic.php?t=3935&start=0&postdays=0&postorder=asc&highlight=same+user
> > http://forum.springframework.org/viewtopic.php?t=4289&highlight=same
> > +user
> > 
> > The feature described in the ref docs:
> > http://acegisecurity.sourceforge.net/docbook/acegi.html#security-authentication-concurrent-login
> > 
> 
> this is solution for forbidding login when same user is already logged
> in, ie "first wins" rule. I need "last wins" rule implementation.
> 


This is getting off-tapestry topic.

Of course.. I see from the acegi source that this could be done, but it
is not configurable. The ConcurrentSessionControllerImpl keeps a list of
all session ids for each logged in principal, so it should be possible
in some way. It also publishes an event ConcurrentSessionViolationEvent
so that another bean registered to receive events might do something
interesting with that one.

I just take this from the top of my head, so I really don't know if it
is possible, but it should be. The logic should be to tell acegi to log
out the session id of the other user (the first one) on his next request
(when the session in question is available), not invalidating the first
users session  from another users request. 

HTH

Olve